Activating Remote Administration on IIS 3.0

Whether you are using the command-line remote administration Fpremadm utility or the server extensions HTML Administration Forms to administer an IIS 3.0 server remotely, you need to activate the HTML Administration Forms using the method described in this topic.

You should run the HTML Administration Forms over a secured port. It is not possible to use a secured port unless the server has a security certificate installed. If you do not already have a security certificate before activating the HTML Administration Forms, use the Key Manager application to make a security certificate request, submit the request to a key authority, and then use the Key Manager application to install the certificate returned by the key authority. The IIS documentation contains more details on this process.

Once you have a security certificate, the following steps activate the HTML Administration Forms for remote use in as secure a way as possible.

Determine the Windows NT machine account (or group of accounts) that will be granted access to the HTML Administration Forms.

This account should be a member of the machine's Administrators group. If necessary, create a new account using the Windows NT User Manager. Depending on the machine's account configuration, giving access to the Administrators group may be a good alternative to giving access to multiple individual machine accounts.

Open the Windows Explorer at the hard drive location of the HTML Administration Forms, which by default is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\. Select the Admisapi folder, click Properties on the File menu, and then click Permissions on the Security tab.

In the Directory Permissions dialog box, update the Name list of authorized users and groups by using the Add and Remove buttons.

Remove all users and groups that are not authorized. In particular, make sure that no group that is added to the list contains the IUSR_machinename anonymous access account, and that any wide-access accounts such as EVERYONE are removed.

In the Name list, type the machine's SYSTEM account.

This account is required to allow IIS to access the file during the security validation process.

For each user or group in the Name list, change Type of Access to Read.

Click Replace Permissions on Subdirectories and Replace Permissions on Existing Files, and click OK to accept the changes. Click OK again to close the folder Properties dialog box.

Next, you will create a virtual root for the HTML Administration Forms.

Start the IIS Internet Service Manager application.

Double-click on the WWW service to edit the service properties.

On the Directories tab, click Add.

In the Directory field, enter the location of the Admisapi folder, usually
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\Admisapi.

In the Alias field, type /fpadmin

For Access, click Read and Execute.

Click Require secure SSL channel.

Click OK twice to accept the changes.

The forms are now activated for remote administration when you browse to a URL such as https://mymachine/fpadmin/fpadmin.htm